Re: PEAP not working with server certificate from Globalsign
- From: "Thomas K" <thomas@xxxxxxxxx>
- Date: Tue, 2 Aug 2005 23:07:38 +0200
Hey,
I am indeed using Cisco RADIUS and NO, MS IAS is not required :-)
Are you aware of a cert provider supporting that EKU?
/T
"FenderAxe" <fa@xxxxxxx> wrote in message
news:Xns96A61D9E9C33faaxecom@xxxxxxxxxxxxxxxxx
> Your setup isn't clear -- you say you're using a Cisco RADIUS server? I
> think you have to be using MS IAS W2K3 to use PEAP. And yes, the IAS server
> cert must have the server authentication purpose in order for it to work
> properly. (The customer might have bought a cert with the "All" purpose
> thinking that would cover all purposes, but it doesn't work that way -- the
> cert has to have the server cert purpose in EKU extensions. The All purpose
> has a different OID. Not sure since you didn't mention the purposes the
> cert does have.)
>
> "Thomas K" <thomas@xxxxxxxxx> wrote in
> news:dc4o0d$8tn$1@xxxxxxxxxxxxxxxxxxxx:
>
>> Hey guys,
>>
>> A customer has ordered a server certificate from Globalsign to use on
>> his Cisco ACS radius server.
>> Immediately upon receiving the server certificate, I noticed the
>> Enhanced Key Usage (=Server Authentication) field (OID
>> 1.3.6.1.5.5.7.3.1) was not there, which scared me as Microsoft list
>> this field as a requirement for client workstations to validate the
>> server certificate (see
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;814394).
>>
>> XP workstations should authenticate using PEAP-MSchapv2 but fail to do
>> so. Using a network sniffer, I see XP is sending an EAP message "TLS
>> encrypted alert".
>> The ACS server is responding with a RADIUS/Access/Reject & the access
>> point is then sending an EAP failure message.
>> Enabling tracing on XP, I see some interesting information in
>> EAPOL.LOG such as:
>> [2608] 10:59:29:285: ElSetEapUserInfo: Invalid blob data
>> [2608] 10:59:29:285: ElEapWork: Saved EAP data for user
>> [2608] 10:59:29:285: ElEapWork: Authentication FAILED
>> [2608] 10:59:29:285: Setting state AUTHENTICATING for port Carte Mini-PCI réseau sans fil TrueMobile 1300 de Dell - Packet Scheduler Miniport
>> [2608] 10:59:29:285: FSMAuthenticating completed for port Carte Mini-PCI réseau sans fil TrueMobile 1300 de Dell - Packet Scheduler Miniport
>> [2608] 10:59:29:285: TIMER: Restart PCB Time: 2097148
>> [2608] 10:59:29:285: ElProcessEapFail: Got EAPCODE_Failure
>> [2608] 10:59:29:335: FSMHeld: EAP authentication failed with error 0x30a
>> [2608] 10:59:29:335: FSMHeld[SSID]: Deleting user creds info on failure ...
>>
>> Do you have any idea what is the problem? Is the cause of all this the
>> missing "Server Authentication" EKU in the server certificate?
>> I know MS has partnered with Verisign to deliver WLAN server
>> certificate ... Do you know if Globalsign is able to supply that kind
>> of certificate too?
>>
>> Thx for your attention,
>>
>> Cheers,
>>
>> /T
>>
>
>
>
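As an added check, not code from anyone in this thread: the snippet below decodes the DER body of an extendedKeyUsage extension and applies the rule the replies describe for a PEAP server cert, namely that serverAuth (1.3.6.1.5.5.7.3.1) must be listed explicitly, so neither the "All" purpose (anyExtendedKeyUsage, 2.5.29.37.0) nor a missing extension passes. The two sample extension encodings are constructed for the example.

```python
# Minimal DER walker for an extendedKeyUsage value: SEQUENCE OF OBJECT IDENTIFIER.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, what the KB article requires
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage, the "All" purpose

# Constructed sample values (the DER *value* of the EKU extension, not a whole cert).
EKU_SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")          # [serverAuth]
EKU_CLIENT_AND_ANY = bytes.fromhex("301006082b060105050703020604551d2500")  # [clientAuth, any]


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos (short or long length form)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode base-128 OID contents to dotted form (first byte packs the first two arcs)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def eku_oids(der_value):
    """Parse an extendedKeyUsage value into a list of dotted OID strings."""
    tag, body, _ = _read_tlv(der_value, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extendedKeyUsage")
        oids.append(_decode_oid(v))
    return oids


def permits_peap_server(der_value):
    """True only if serverAuth is present explicitly; absent EKU or anyEKU alone is rejected,
    which is the strict reading of the requirement the thread points at (assumption here)."""
    if der_value is None:                   # extension missing, as in the Globalsign cert
        return False
    return SERVER_AUTH in eku_oids(der_value)
```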